Methods and systems for execution of tenant code in an on-demand service environment including utilization of shared resources and inline governor limit enforcement

ABSTRACT

A method for evaluating bytecode in an on-demand service environment. A request to compile source code is received in a multitenant database environment. One or more limit enforcement mechanisms is/are inserted into the source code to monitor utilization of one or more corresponding resources within the multitenant database environment. The source code is compiled to generate executable code. The executable code is executed within the multitenant database environment. Resource utilization is evaluated for the one or more resources in response to executing code corresponding to at least one of the limit enforcement mechanisms.

CLAIM OF PRIORITY

This application claims the benefit of U.S. Provisional PatentApplication 61/326,368 entitled METHODS AND SYSTEMS FOR EVALUATINGBYTECODE IN AN ON-DEMAND SERVICE ENVIRONMENT INCLUDING EFFICIENTUTILIZATION OF SHARED RESOURCES AND GOVERNOR LIMIT ENFORCEMENT, byGregory D. Fee and William J. Gallagher, filed Apr. 21, 2010 (AttorneyDocket No. P001Z1), the entire contents of which are incorporated hereinby reference.

This application claims the benefit of U.S. Provisional PatentApplication 61/326,377 entitled METHODS AND SYSTEMS FOR EVALUATINGBYTECODE IN AN ON-DEMAND SERVICE ENVIRONMENT INCLUDING TRANSLATION OFAPEX TO BYTECODE, by Gregory D. Fee and William J. Gallagher, filed Apr.21, 2010 (Attorney Docket No. P001Z2), the entire contents of which areincorporated herein by reference.

This application claims the benefit of U.S. Provisional PatentApplication 61/326,385 entitled METHODS AND SYSTEMS FOR EVALUATINGBYTECODE IN AN ON-DEMAND SERVICE ENVIRONMENT INCLUDING PROVIDING AMULTI-TENANT, MULTI-LANGUAGE RUNTIME ENVIRONMENTS AND SYSTEMS, byGregory D. Fee and William J. Gallagher, filed Apr. 21, 2010 (AttorneyDocket No. P001Z3), the entire contents of which are incorporated hereinby reference.

CROSS REFERENCE TO RELATED APPLICATIONS

The following commonly owned, co-pending United States patents andpatent applications, including the present application, are related toeach other. Each of the other patents/applications are incorporated byreference herein in its entirety:

U.S. patent application Ser. No. 12/______, entitled “METHODS ANDSYSTEMS FOR EVALUATING BYTECODE IN AN ON-DEMAND SERVICE ENVIRONMENTINCLUDING TRANSLATION OF APEX TO BYTECODE,” by Gregory D. Fee andWilliam J. Gallagher, filed ______, 2010 (Attorney Docket No. P001-B);and

U.S. patent application Ser. No. 12/______, entitled “METHODS ANDSYSTEMS FOR UTILIZING BYTECODE IN AN ON-DEMAND SERVICE ENVIRONMENTINCLUDING PROVIDING A MULTI-TENANT, MULTI-LANGUAGE RUNTIME ENVIRONMENTSAND SYSTEMS,” by Gregory D. Fee and William J. Gallagher, filed ______,2010 (Attorney Docket No. P001-C).

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

FIELD OF THE INVENTION

Embodiments described herein relate generally to evaluation of bytecodein a database network system. More particularly, embodiments describedherein relate to efficient utilization of shared resources forevaluation of bytecode.

BACKGROUND

The subject matter discussed in the background section should not beassumed to be prior art merely as a result of its mention in thebackground section. Similarly, a problem mentioned in the backgroundsection or associated with the subject matter of the background sectionshould not be assumed to have been previously recognized. The subjectmatter in the background section merely represents different approaches.

In conventional database systems, users access their data resources inone logical database. A user of such a conventional system typicallyretrieves data from and stores data on the system using the user's ownsystems. A user system might remotely access one of a plurality ofserver systems that might in turn access the database system. Dataretrieval from the system might include the issuance of a query from theuser system to the database system. The database system might processthe request for information received in the query and send to the usersystem information relevant to the request.

As an on demand platform, Apex™ provides a set of features for buildingbusiness applications including, for example, data models and objects tomanage data, a workflow engine for managing collaboration of that data,a user interface model to handle forms and other interactions, and a Webservices application programming interface (API) for programmatic accessand integration. These platform technologies support custom applicationsand integrations, and allow developers to build applications utilizingthis on demand model.

Apex code is “on demand,” running without requiring local servers orsoftware. Apex code may run in a multi-tenant environment, providing theeconomic and manageability benefits of a shared service while keepingthe definition, data and behavior of each customer's applicationseparate from each other. For developers, the combination of thesecapabilities with this on-demand, multi-tenant delivery providesconvenience, scalability, and safety of an on-demand database, combinedwith the flexibility and control of a procedural language.

Apex code provides a powerful and productive approach to creatingfunctionality and logic, allowing developers to focus on elementsspecific to their application, while leaving other elements to theplatform's framework. Apex code is a successful and innovative languagein part because of its multi-tenant design. Multitenancy allows Apex toscale to a large number of customers with a relatively modest hardwareinvestment. Apex code is abstracted and governed, utilizing only as manyresources as is allowed.

Performance is a key requirement for any programming language. It isespecially important in a multitenant environment where processor cyclesspent interpreting code for a given customer have a direct and negativeimpact on other customers sharing the same environment. Thus, improvingperformance not only results in quicker response times for users butalso less impact on other tenants in terms of the overall load on thesystem.

All languages tend to have some start-up cost associated with gettingcode into a state where it can be executed. This cost includes, forexample, the processing required to load the executable form of the codeand to link it with dependent code. Unlike most programming languages,however, start-up costs tend to dominate in a multi-tenant languagewhere the interpreter may be called upon to execute code from any one ofpossibly thousands of tenants. The ability to cache executable code toavoid the start-up costs on subsequent requests is limited by the largeworking set. In addition, the requests tend to be relatively short,making the start-up cost a larger proportion of the overall requesttime.

BRIEF DESCRIPTION OF THE DRAWINGS

In the following drawings like reference numbers are used to refer tolike elements. Although the following figures depict various examples,the invention is not limited to the examples depicted in the figures.

FIG. 1 is a block diagram of one embodiment of a multitenantenvironment;

FIG. 2 is a flow diagram of one embodiment of a technique for executingcode in a multitenant environment;

FIG. 3 is a block diagram of an environment where an on-demand databaseservice might be used; and

FIG. 4 is a block diagram of an environment where an on-demand databaseservice might be used.

DETAILED DESCRIPTION

In the following description, numerous specific details are set forth.However, embodiments may be practiced without these specific details. Inother instances, well-known circuits, structures and techniques have notbeen shown in detail in order not to obscure the understanding of thisdescription.

General Overview

As used herein, the term multi-tenant database system refers to thosesystems in which various elements of hardware and software of thedatabase system may be shared by one or more customers. For example, agiven application server may simultaneously process requests for a greatnumber of customers, and a given database table may store rows for apotentially much greater number of customers.

In one embodiment, a multi-tenant database system utilizes tenantidentifiers (IDs) within a multi-tenant environment to allow individualtenants to access their data while preserving the integrity of othertenant's data. In one embodiment, the multitenant database stores datafor multiple client entities each identified by a tenant ID having oneof one or more users associated with the tenant ID. Users of each ofmultiple client entities can only access data identified by a tenant IDassociated with their respective client entity. In one embodiment, themultitenant database is a hosted database provided by an entity separatefrom the client entities, and provides on-demand and/or real-timedatabase service to the client entities.

As used herein, the term bytecode refers to various forms of instructionsets to be executed by a software interpreter. Bytecode instructions arealso suitable for further compilation into machine code. Bytecodeinstructions are processed by software, but have similarities tohardware instructions. Virtual stack machines are common executionenvironments. A bytecode program may be executed by parsing instructionsand directly executing the instructions, one at a time. Some systems,called dynamic translators, or “just-in-time” (JIT) compilers, translatebytecode into machine language as necessary at runtime.

FIG. 1 is a block diagram of one embodiment of a multitenantenvironment. The multitenant environment includes multitenant database100, which includes multiple tenant data sets 110 corresponding to thetenants of the multitenant environment. In one embodiment, each tenanthas a unique tenant ID that is utilized to control access to themultitenant environment. In one embodiment, multitenant database 100stores data for multiple client entities each identified by a tenant IDhaving one of one or more users associated with the tenant ID.

The users of each of the multiple client entities can only access dataidentified by a tenant ID associated with the respective client entity.In one embodiment, multitenant database 100 is a hosted databaseprovided by an entity separate from the client entities, and provideson-demand database service to the client entities. Multitenant database100 further includes shared database engine 120 that provides thefunctionality of multitenant database 100 in operating on tenant datasets 110.

The multitenant environment further includes multitenant code 150, whichincludes multiple tenant logic sets 160 corresponding to the tenants ofthe multitenant environment. In one embodiment, multitenant code 150includes code for multiple client entities each identified by thecorresponding tenant IDs. The users of each of the multiple cliententities can only access code identified by the tenant ID associatedwith the respective client entity. In one embodiment, multitenant code150 is stored in a hosted database provided by an entity separate fromthe client entities, and provides on-demand database service to theclient entities. Multitenant code 150 further includes shared executionengine 170 that provides the ability to execute code represented bymultitenant code 150. In one embodiment, shared execution engine 170 isa virtual machine.

Execution Environment Overview

In one embodiment, Apex is implemented as an Abstract Syntax Tree(AST)-based interpreter. Most compilers parse source code into anintermediate AST form. An AST interpreter executes directly on thegenerated AST in order to interpret the code. A full source code parseis required to compute the AST. Thus, parsing the Apex source code isexpensive.

To reduce this parsing cost, the Apex runtime caches the generated ASTin memcached. The term “memcached” refers to a general-purposedistributed memory caching system often used to speed up dynamicdatabase-driven applications or websites by caching data and objects insystem memory to reduce the number of times an external data source(such as a database or API) must be read. Memcached runs on Unix,Windows and MacOS.

Storage of the AST in memcached requires the AST to be serialized into abyte stream. The AST is comprised of a set of nodes, each representingsome construct in the source code (e.g., a while loop, an addexpression, etc.). The set of nodes can become fairly large, forexample, it can be approximately 10.5 times the source code size interms of heap consumption. In addition, this size consists of a verylarge number of very small Java™ or other bytecode objects.Unfortunately, very large object graphs are expensive to serialize usingJava serialization techniques. Deserializing the AST from memcached isthe dominant cost in many Apex requests. Java is a trademark of SunMicrosystems.

In one embodiment, the Apex interpreter serves as a level of isolationbetween customer code and the host virtual machine (VM). The Apexinterpreter may enforce governor limits and brokers requests to theunderlying platform on behalf of customer code. In one embodiment, theApex interpreter is not a full-fledged Java virtual machine. The Apexinterpeter may delegate to the real Java virtual machine (JVM) forvarious services. Garbage collection is an example of this. In oneembodiment, the Apex interpreter is also able to delegate to the realJVM on a per type basis.

FIG. 2 is a flow diagram of one embodiment of a technique for executingcode in a multitenant environment. The techniques described with respectto FIG. 2 can be implemented by the systems and in the environmentsdescribed herein as well as other systems and environments that providemultitenant functionality.

A memory space is established, 210. In a multitenant environment, atenant may be provided with one or more secure portions of memory toexecute that tenant's code. In one embodiment, the tenant ID is utilizedto determine authorization to access a memory location.

Code to be executed in the memory space is retrieved from themultitenant database, 220. In one embodiment, the code is source codethat will be compiled. In another embodiment, the retrieved code may beexecutable code, for example, bytecode. If the retrieved code has notyet been compiled, the retrieved code is compiled, 230.

In one embodiment, when the source code is compiled, one or moreresource limiter enforcement (or governor) mechanisms are included inthe code at compile time, 230. Multiple types of limiting mechanisms canbe included in the compiled code. By providing limiting mechanisms inthe compiled code, the resulting compiled code can be self-limiting (orself-managing), which may result in a more secure and/or more efficientsystem.

One type of limiting mechanism that may be utilized is a synchronousgovernor. The synchronous governor may monitor one or more performancecharacteristics (e.g., processor usage, memory usage, bandwidthutilization) at pre-selected intervals.

Another type of limiting mechanism that may be utilized is aninterrupt-based governor. Interrupt-based governing results from aninterrupt trigger being placed in the compiled code. In response to aninterrupt, the interrupt service routine monitors one or moreperformance characteristics (e.g., processor usage, memory usage,bandwidth utilization). Interrupt-based governing allows the evaluationto be performed outside the memory space established for the code. Thismay result in a more secure enforcement.

Another type of limiting mechanism is use of a self-incrementing counterthat is incremented by and evaluated by the compiled code duringexecution. That is, each time a monitored operation is performed, acorresponding counter is incremented (or decremented) to monitor use ofan associated resource. Various combinations of incrementing and/ordecrementing counters can be utilized as the code is executed to providethe desired level of monitoring and enforcement.

The compiled code is executed, 240. During execution, one or more limittriggers may be encountered, 250. The code is executed until a limittrigger is encountered, 240, 250. The limit triggers correspond to themonitoring mechanisms described above. For example, during execution, aninterrupt may be triggered by execution of the bytecode. In response tothe limit trigger, 250, an evaluation is performed, 260, to determine ifthe monitored characteristic is over the corresponding limit.

If the monitored characteristic is not over the corresponding limit,260, the code may be allowed to continue execution, 240. If themonitored characteristic is over the corresponding limit, 260, theexecution of the code may be halted or torn down, 270. Thus, source codemay be compiled to provide full or partial self monitoring of resourceutilization that may result in early termination of the code ifdesignated resource limits are exceeded.

System Overview

FIG. 3 illustrates a block diagram of an environment 310 wherein anon-demand database service might be used. Environment 310 may includeuser systems 312, network 314, system 316, processor system 317,application platform 318, network interface 320, tenant data storage322, system data storage 324, program code 326, and process space 328.In other embodiments, environment 310 may not have all of the componentslisted and/or may have other elements instead of, or in addition to,those listed above.

Environment 310 is an environment in which an on-demand database serviceexists. User system 312 may be any machine or system that is used by auser to access a database user system. For example, any of user systems312 can be a handheld computing device, a mobile phone, a laptopcomputer, a work station, and/or a network of computing devices. Asillustrated in FIG. 3 (and in more detail in FIG. 4) user systems 312might interact via a network 314 with an on-demand database service,which is system 316.

An on-demand database service, such as system 316, is a database systemthat is made available to outside users that do not need to necessarilybe concerned with building and/or maintaining the database system, butinstead may be available for their use when the users need the databasesystem (e.g., on the demand of the users). Some on-demand databaseservices may store information from one or more tenants stored intotables of a common database image to form a multi-tenant database system(MTS). Accordingly, “on-demand database service 316” and “system 316”will be used interchangeably herein.

A database image may include one or more database objects. A relationaldatabase management system (RDMS) or the equivalent may execute storageand retrieval of information against the database object(s). Applicationplatform 318 may be a framework that allows the applications of system316 to run, such as the hardware and/or software, e.g., the operatingsystem. In an embodiment, on-demand database service 316 may include anapplication platform 318 that enables creation, managing and executingone or more applications developed by the provider of the on-demanddatabase service, users accessing the on-demand database service viauser systems 312, or third party application developers accessing theon-demand database service via user systems 312.

The users of user systems 312 may differ in their respective capacities,and the capacity of a particular user system 312 might be entirelydetermined by permissions (permission levels) for the current user. Forexample, where a salesperson is using a particular user system 312 tointeract with system 316, that user system has the capacities allottedto that salesperson. However, while an administrator is using that usersystem to interact with system 316, that user system has the capacitiesallotted to that administrator. In systems with a hierarchical rolemodel, users at one permission level may have access to applications,data, and database information accessible by a lower permission leveluser, but may not have access to certain applications, databaseinformation, and data accessible by a user at a higher permission level.Thus, different users will have different capabilities with regard toaccessing and modifying application and database information, dependingon a user's security or permission level.

Network 314 is any network or combination of networks of devices thatcommunicate with one another. For example, network 314 can be any one orany combination of a LAN (local area network), WAN (wide area network),telephone network, wireless network, point-to-point network, starnetwork, token ring network, hub network, or other appropriateconfiguration. As the most common type of computer network in currentuse is a TCP/IP (Transfer Control Protocol and Internet Protocol)network, such as the global internetwork of networks often referred toas the “Internet” with a capital “I,” that network will be used in manyof the examples herein. However, it should be understood that thenetworks are not so limited, although TCP/IP is a frequently implementedprotocol.

User systems 312 might communicate with system 316 using TCP/IP and, ata higher network level, use other common Internet protocols tocommunicate, such as HTTP, FTP, AFS, WAP, etc. In an example where HTTPis used, user system 312 might include an HTTP client commonly referredto as a “browser” for sending and receiving HTTP messages to and from anHTTP server at system 316. Such an HTTP server might be implemented asthe sole network interface between system 316 and network 314, but othertechniques might be used as well or instead. In some implementations,the interface between system 316 and network 314 includes load sharingfunctionality, such as round-robin HTTP request distributors to balanceloads and distribute incoming HTTP requests evenly over a plurality ofservers. At least as for the users that are accessing that server, eachof the plurality of servers has access to the MTS' data; however, otheralternative configurations may be used instead.

In one embodiment, system 316, shown in FIG. 3, implements a web-basedcustomer relationship management (CRM) system. For example, in oneembodiment, system 316 includes application servers configured toimplement and execute CRM software applications as well as providerelated data, code, forms, webpages and other information to and fromuser systems 312 and to store to, and retrieve from, a database systemrelated data, objects, and Webpage content.

With a multi-tenant system, data for multiple tenants may be stored inthe same physical database object, however, tenant data typically isarranged so that data of one tenant is kept logically separate from thatof other tenants so that one tenant does not have access to anothertenant's data, unless such data is expressly shared. In certainembodiments, system 316 implements applications other than, or inaddition to, a CRM application. For example, system 16 may providetenant access to multiple hosted (standard and custom) applications,including a CRM application. User (or third party developer)applications, which may or may not include CRM, may be supported by theapplication platform 318, which manages creation, storage of theapplications into one or more database objects and executing of theapplications in a virtual machine in the process space of the system316.

One arrangement for elements of system 316 is shown in FIG. 3, includinga network interface 320, application platform 318, tenant data storage322 for tenant data 323, system data storage 324 for system data 325accessible to system 316 and possibly multiple tenants, program code 326for implementing various functions of system 316, and a process space328 for executing MTS system processes and tenant-specific processes,such as running applications as part of an application hosting service.Additional processes that may execute on system 316 include databaseindexing processes.

Several elements in the system shown in FIG. 3 include conventional,well-known elements that are explained only briefly here. For example,each user system 312 could include a desktop personal computer,workstation, laptop, PDA, cell phone, or any wireless access protocol(WAP) enabled device or any other computing device capable ofinterfacing directly or indirectly to the Internet or other networkconnection. User system 312 typically runs an HTTP client, e.g., abrowsing program, such as Microsoft's Internet Explorer browser,Netscape's Navigator browser, Opera's browser, or a WAP-enabled browserin the case of a cell phone, PDA or other wireless device, or the like,allowing a user (e.g., subscriber of the multi-tenant database system)of user system 312 to access, process and view information, pages andapplications available to it from system 316 over network 314.

Each user system 312 also typically includes one or more user interfacedevices, such as a keyboard, a mouse, trackball, touch pad, touchscreen, pen or the like, for interacting with a graphical user interface(GUI) provided by the browser on a display (e.g., a monitor screen, LCDdisplay, etc.) in conjunction with pages, forms, applications and otherinformation provided by system 316 or other systems or servers. Forexample, the user interface device can be used to access data andapplications hosted by system 316, and to perform searches on storeddata, and otherwise allow a user to interact with various GUI pages thatmay be presented to a user. As discussed above, embodiments are suitablefor use with the Internet, which refers to a specific globalinternetwork of networks. However, it should be understood that othernetworks can be used instead of the Internet, such as an intranet, anextranet, a virtual private network (VPN), a non-TCP/IP based network,any LAN or WAN or the like.

According to one embodiment, each user system 312 and all of itscomponents are operator configurable using applications, such as abrowser, including computer code run using a central processing unitsuch as an Intel Pentium® processor or the like. Similarly, system 316(and additional instances of an MTS, where more than one is present) andall of their components might be operator configurable usingapplication(s) including computer code to run using a central processingunit such as processor system 317, which may include an Intel Pentium®processor or the like, and/or multiple processor units.

A computer program product embodiment includes a machine-readablestorage medium (media) having instructions stored thereon/in which canbe used to program a computer to perform any of the processes of theembodiments described herein. Computer code for operating andconfiguring system 316 to intercommunicate and to process webpages,applications and other data and media content as described herein arepreferably downloaded and stored on a hard disk, but the entire programcode, or portions thereof, may also be stored in any other volatile ornon-volatile memory medium or device as is well known, such as a ROM orRAM, or provided on any media capable of storing program code, such asany type of rotating media including floppy disks, optical discs,digital versatile disk (DVD), compact disk (CD), microdrive, andmagneto-optical disks, and magnetic or optical cards, nanosystems(including molecular memory ICs), or any type of media or devicesuitable for storing instructions and/or data.

Additionally, the entire program code, or portions thereof, may betransmitted and downloaded from a software source over a transmissionmedium, e.g., over the Internet, or from another server, as is wellknown, or transmitted over any other conventional network connection asis well known (e.g., extranet, VPN, LAN, etc.) using any communicationmedium and protocols (e.g., TCP/IP, HTTP, HTTPS, Ethernet, etc.) as arewell known. It will also be appreciated that computer code forimplementing embodiments described herein can be implemented in anyprogramming language that can be executed on a client system and/orserver or server system such as, for example, C, C++, HTML, any othermarkup language, Java™, JavaScript, ActiveX, any other scriptinglanguage, such as VBScript, and many other programming languages as arewell known may be used. (Java™ is a trademark of Sun Microsystems,Inc.).

According to one embodiment, each system 316 is configured to providewebpages, forms, applications, data and media content to user (client)systems 312 to support the access by user systems 312 as tenants ofsystem 316. As such, system 316 provides security mechanisms to keepeach tenant's data separate unless the data is shared. If more than oneMTS is used, they may be located in close proximity to one another(e.g., in a server farm located in a single building or campus), or theymay be distributed at locations remote from one another (e.g., one ormore servers located in city A and one or more servers located in cityB).

As used herein, each MTS could include one or more logically and/orphysically connected servers distributed locally or across one or moregeographic locations. Additionally, the term “server” is meant toinclude a computer system, including processing hardware and processspace(s), and an associated storage system and database application(e.g., OODBMS or RDBMS). It should also be understood that “serversystem” and “server” are often used interchangeably herein. Similarly,the database object described herein can be implemented as singledatabases, a distributed database, a collection of distributeddatabases, a database with redundant online or offline backups or otherredundancies, etc., and might include a distributed database or storagenetwork and associated processing intelligence.

FIG. 4 also illustrates environment 310. However, in FIG. 4 elements ofsystem 316 and various interconnections in an embodiment are furtherillustrated. FIG. 4 shows that user system 312 may include processorsystem 312A, memory system 312B, input system 312C, and output system312D. FIG. 4 shows network 314 and system 316. FIG. 4 also shows thatsystem 316 may include tenant data storage 322, tenant data 323, systemdata storage 324, system data 325, User Interface (UI) 430, ApplicationProgram Interface (API) 432, PL/SOQL 434, save routines 436, applicationsetup mechanism 438, applications servers 400 ₁-400 _(N), system processspace 402, tenant process spaces 404, tenant management process space410, tenant storage area 412, user storage 414, and application metadata416. In other embodiments, environment 310 may not have the sameelements as those listed above and/or may have other elements insteadof, or in addition to, those listed above.

User system 312, network 314, system 316, tenant data storage 322, andsystem data storage 324 were discussed above in FIG. 3. Regarding usersystem 312, processor system 312A may be any combination of one or moreprocessors. Memory system 312B may be any combination of one or morememory devices, short term, and/or long term memory. Input system 312Cmay be any combination of input devices, such as one or more keyboards,mice, trackballs, scanners, cameras, and/or interfaces to networks.Output system 312D may be any combination of output devices, such as oneor more monitors, printers, and/or interfaces to networks.

As shown by FIG. 4, system 316 may include a network interface 320 (ofFIG. 3) implemented as a set of HTTP application servers 400, anapplication platform 318, tenant data storage 322, and system datastorage 324. Also shown is system process space 402, includingindividual tenant process spaces 404 and a tenant management processspace 410. Each application server 400 may be configured to tenant datastorage 322 and the tenant data 323 therein, and system data storage 324and the system data 325 therein to serve requests of user systems 312.The tenant data 323 might be divided into individual tenant storageareas 412, which can be either a physical arrangement and/or a logicalarrangement of data. Within each tenant storage area 412, user storage414 and application metadata 416 might be similarly allocated for eachuser. For example, a copy of a user's most recently used (MRU) itemsmight be stored to user storage 414. Similarly, a copy of MRU items foran entire organization that is a tenant might be stored to tenantstorage area 412. A UI 430 provides a user interface and an API 432provides an application programmer interface to system 316 residentprocesses to users and/or developers at user systems 312. The tenantdata and the system data may be stored in various databases, such as oneor more Oracle™ databases.

Application platform 318 includes an application setup mechanism 438that supports application developers' creation and management ofapplications, which may be saved as metadata into tenant data storage322 by save routines 436 for execution by subscribers as one or moretenant process spaces 404 managed by tenant management process 410 forexample. Invocations to such applications may be coded using PL/SOQL 434that provides a programming language style interface extension to API432. A detailed description of some PL/SOQL language embodiments isdiscussed in commonly owned co-pending U.S. Provisional PatentApplication 60/828,192 entitled, PROGRAMMING LANGUAGE METHOD AND SYSTEMFOR EXTENDING APIS TO EXECUTE IN CONJUNCTION WITH DATABASE APIS, byCraig Weissman, filed Oct. 4, 2006, which is incorporated in itsentirety herein for all purposes. Invocations to applications may bedetected by one or more system processes, which manages retrievingapplication metadata 416 for the subscriber making the invocation andexecuting the metadata as an application in a virtual machine.

Each application server 400 may be communicably coupled to databasesystems, e.g., having access to system data 325 and tenant data 323, viaa different network connection. For example, one application server 400₁ might be coupled via the network 314 (e.g., the Internet), anotherapplication server 400 _(N-1) might be coupled via a direct networklink, and another application server 400 _(N) might be coupled by yet adifferent network connection. Transfer Control Protocol and InternetProtocol (TCP/IP) are typical protocols for communicating betweenapplication servers 400 and the database system. However, it will beapparent to one skilled in the art that other transport protocols may beused to optimize the system depending on the network interconnect used.

In certain embodiments, each application server 400 is configured tohandle requests for any user associated with any organization that is atenant. Because it is desirable to be able to add and remove applicationservers from the server pool at any time for any reason, there ispreferably no server affinity for a user and/or organization to aspecific application server 400. In one embodiment, therefore, aninterface system implementing a load balancing function (e.g., an F5Big-IP load balancer) is communicably coupled between the applicationservers 400 and the user systems 312 to distribute requests to theapplication servers 400. In one embodiment, the load balancer uses aleast connections algorithm to route user requests to the applicationservers 400. Other examples of load balancing algorithms, such as roundrobin and observed response time, also can be used. For example, incertain embodiments, three consecutive requests from the same user couldhit three different application servers 400, and three requests fromdifferent users could hit the same application server 400. In thismanner, system 316 is multi-tenant, wherein system 316 handles storageof, and access to, different objects, data and applications acrossdisparate users and organizations.

As an example of storage, one tenant might be a company that employs asales force where each salesperson uses system 316 to manage their salesprocess. Thus, a user might maintain contact data, leads data, customerfollow-up data, performance data, goals and progress data, etc., allapplicable to that user's personal sales process (e.g., in tenant datastorage 322). In an example of a MTS arrangement, since all of the dataand the applications to access, view, modify, report, transmit,calculate, etc., can be maintained and accessed by a user system havingnothing more than network access, the user can manage his or her salesefforts and cycles from any of many different user systems. For example,if a salesperson is visiting a customer and the customer has Internetaccess in their lobby, the salesperson can obtain critical updates as tothat customer while waiting for the customer to arrive in the lobby.

While each user's data might be separate from other users' dataregardless of the employers of each user, some data might beorganization-wide data shared or accessible by a plurality of users orall of the users for a given organization that is a tenant. Thus, theremight be some data structures managed by system 316 that are allocatedat the tenant level while other data structures might be managed at theuser level. Because an MTS might support multiple tenants includingpossible competitors, the MTS should have security protocols that keepdata, applications, and application use separate. Also, because manytenants may opt for access to an MTS rather than maintain their ownsystem, redundancy, up-time, and backup are additional functions thatmay be implemented in the MTS. In addition to user-specific data andtenant specific data, system 316 might also maintain system level datausable by multiple tenants or other data. Such system level data mightinclude industry reports, news, postings, and the like that are sharableamong tenants.

In certain embodiments, user systems 312 (which may be client systems)communicate with application servers 400 to request and updatesystem-level and tenant-level data from system 316 that may requiresending one or more queries to tenant data storage 322 and/or systemdata storage 324. System 316 (e.g., an application server 400 in system316) automatically generates one or more SQL statements (e.g., one ormore SQL queries) that are designed to access the desired information.System data storage 324 may generate query plans to access the requesteddata from the database.

Each database can generally be viewed as a collection of objects, suchas a set of logical tables, containing data fitted into predefinedcategories. A “table” is one representation of a data object, and may beused herein to simplify the conceptual description of objects and customobjects. It should be understood that “table” and “object” may be usedinterchangeably herein. Each table generally contains one or more datacategories logically arranged as columns or fields in a viewable schema.Each row or record of a table contains an instance of data for eachcategory defined by the fields. For example, a CRM database may includea table that describes a customer with fields for basic contactinformation such as name, address, phone number, fax number, etc.Another table might describe a purchase order, including fields forinformation such as customer, product, sale price, date, etc. In somemulti-tenant database systems, standard entity tables might be providedfor use by all tenants. For CRM database applications, such standardentities might include tables for Account, Contact, Lead, andOpportunity data, each containing pre-defined fields. It should beunderstood that the word “entity” may also be used interchangeablyherein with “object” and “table”.

In some multi-tenant database systems, tenants may be allowed to createand store custom objects, or they may be allowed to customize standardentities or objects, for example by creating custom fields for standardobjects, including custom index fields. U.S. patent application Ser. No.10/817,161, filed Apr. 2, 2004, entitled “Custom Entities and Fields ina Multi-Tenant Database System”, and which is hereby incorporated hereinby reference, teaches systems and methods for creating custom objects aswell as customizing standard objects in a multi-tenant database system.In certain embodiments, for example, all custom entity data rows arestored in a single multi-tenant physical table, which may containmultiple logical tables per organization. It is transparent to customersthat their multiple “tables” are in fact stored in one large table orthat their data may be stored in the same table as the data of othercustomers.

Reference in the specification to “one embodiment” or “an embodiment”means that a particular feature, structure, or characteristic describedin connection with the embodiment is included in at least one embodimentof the invention. The appearances of the phrase “in one embodiment” invarious places in the specification are not necessarily all referring tothe same embodiment.

While the invention has been described by way of example and in terms ofthe specific embodiments, it is to be understood that the invention isnot limited to the disclosed embodiments. To the contrary, it isintended to cover various modifications and similar arrangements aswould be apparent to those skilled in the art. Therefore, the scope ofthe appended claims should be accorded the broadest interpretation so asto encompass all such modifications and similar arrangements.

1. A method for evaluating bytecode in an on-demand service environment,the method comprising: receiving a request to compile source code in amultitenant database environment; wherein the multitenant databasestores data for multiple client entities each identified by a tenantidentifier (ID) and the user is one of one or more users associated withthe tenant ID, wherein users of each client entity can only access dataidentified by a tenant ID associated with the respective client entity,and wherein the multitenant database is a hosted database provided by anentity separate from the client entities, and provides on-demanddatabase service to the client entities; inserting within the sourcecode one or more limit enforcement mechanisms to monitor utilization ofone or more corresponding resources within the multitenant databaseenvironment; compiling the source code to generate executable code;executing the executable code within the multitenant databaseenvironment; evaluating resource utilization for the one or moreresources in response to executing code corresponding to at least one ofthe limit enforcement mechanisms.
 2. The method of claim 1 wherein theat least one limit enforcement mechanism comprises a synchronousgovernor mechanism.
 3. The method of claim 2 wherein the synchronousgovernor mechanism monitors at least one of a processor usage, a memoryusage and a bandwidth utilization.
 4. The method of claim 1 wherein theat least one limit enforcement mechanism comprises an interrupt-basedgovernor mechanism.
 5. The method of claim 4 wherein the interrupt-basedgovernor mechanism monitors at least one of a processor usage, a memoryusage and a bandwidth utilization.
 6. The method of claim 1 wherein thelimit enforcement mechanism comprises at least aself-incrementing/decrementing counter.
 7. The method of claim 1 whereinthe limit enforcement mechanism is triggered during execution ofbytecode.
 8. The method of claim 1 wherein the limit enforcementmechanism causes, in response to a pre-selected threshold beingexceeded, execution of the code.
 9. The method of claim 1 wherein thelimit enforcement mechanism causes, in response to a pre-selectedthreshold being exceeded, tearing down of the code structure.
 10. Anarticle comprising a computer-readable medium having stored thereoninstructions that, when executed, cause one or more processors toevaluate bytecode in an on-demand service environment by: receiving arequest to compile source code in a multitenant database environment;wherein the multitenant database stores data for multiple cliententities each identified by a tenant identifier (ID) and the user is oneof one or more users associated with the tenant ID, wherein users ofeach client entity can only access data identified by a tenant IDassociated with the respective client entity, and wherein themultitenant database is a hosted database provided by an entity separatefrom the client entities, and provides on-demand database service to theclient entities; inserting within the source code one or more limitenforcement mechanisms to monitor utilization of one or morecorresponding resources within the multitenant database environment;compiling the source code to generate executable code; executing theexecutable code within the multitenant database environment; evaluatingresource utilization for the one or more resources in response toexecuting code corresponding to at least one of the limit enforcementmechanisms.
 11. The article of claim 10 wherein the at least one limitenforcement mechanism comprises a synchronous governor mechanism. 12.The article of claim 11 wherein the synchronous governor mechanismmonitors at least one of a processor usage, a memory usage and abandwidth utilization.
 13. The article of claim 10 wherein the at leastone limit enforcement mechanism comprises an interrupt-based governormechanism.
 14. The article of claim 13 wherein the interrupt-basedgovernor mechanism monitors at least one of a processor usage, a memoryusage and a bandwidth utilization.
 15. The article of claim 10 whereinthe limit enforcement mechanism comprises at least aself-incrementing/decrementing counter.
 16. The article of claim 10wherein the limit enforcement mechanism is triggered during execution ofbytecode.
 17. The article of claim 10 wherein the limit enforcementmechanism causes, in response to a pre-selected threshold beingexceeded, execution of the code.
 18. The article of claim 10 wherein thelimit enforcement mechanism causes, in response to a pre-selectedthreshold being exceeded, tearing down of the code structure.
 19. Anapparatus for evaluating bytecode in an on-demand service environment,the method comprising: means for receiving a request to compile sourcecode in a multitenant database environment; wherein the multitenantdatabase stores data for multiple client entities each identified by atenant identifier (ID) and the user is one of one or more usersassociated with the tenant ID, wherein users of each client entity canonly access data identified by a tenant ID associated with therespective client entity, and wherein the multitenant database is ahosted database provided by an entity separate from the client entities,and provides on-demand database service to the client entities; meansfor inserting within the source code one or more limit enforcementmechanisms to monitor utilization of one or more corresponding resourceswithin the multitenant database environment; means for compiling thesource code to generate executable code; means for executing theexecutable code within the multitenant database environment; means forevaluating resource utilization for the one or more resources inresponse to executing code corresponding to at least one of the limitenforcement mechanisms.